Even when your Chromebook is locked, bad actors can access it using a "Rubber Ducky," or malicious USB drive that mimics a keyboard. Chrome OS will soon put a stop to those attacks with a feature called USBGuard, seen in a Canary Chrome build by Chrome Story. It stops the operating system from reading code or executing commands from USB devices when your Chromebook is locked. The feature is similar to what Apple introduced in a recent build of IOS 11 that stops USB activity if a device has been locked for more than an hour.
Devices already plugged into a Chromebook when it's locked will continue to function, ensuring data transfers won't stop, for instance. Once the feature arrives, you should be able to opt in to use the service and whitelist USB devices like a keyboard or mouse.
Chromebooks are considered more secure than Windows and other devices, especially for clueless users (I'm talking to you, Aunt Gertrude with six spyware toolbars). However, any computer can be vulnerable to Rubber Ducky devices, essentially miniature computers that pose as keyboards and inject pre-programmed keystroke sequences at up to 1,000 wpm. All of this can be stopped just be disabling the USB port, so the USBGuard feature -- coming to Chromebooks in the near future -- is welcome news.